
© 2015 IBM Corporation

Securing Your Cloud Applications

Nataraj (Raj) Nagaratnam, CTO for Security Solutions, IBM Security

Sreekanth Iyer, Executive IT Architect, IBM Security

Jeffrey Hoy, Cloud Security Architect, IBM Security

Agenda

• Security for Infrastructure Services (IaaS: IBM SoftLayer)

• Security for Platform Services (PaaS: IBM Bluemix)

Cloud is rapidly transforming the enterprise

Diagram: traditional enterprise IT and external stakeholders consuming public and private cloud at three layers, each backed by 100+ IBM offerings:

• SaaS: business applications

• PaaS: development services

• IaaS: infrastructure services

Example workloads shown: HR, CRM, SCM; data archive; app development; online website.

Cloud presents the opportunity to radically transform security practices

• Traditional Security: manual, static, and reactive

• Dynamic Cloud Security: standardized, automated, agile, and elastic

Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk.

Clients focus on three imperatives for improving security

• Govern the usage of cloud

How can I understand who is accessing the cloud from anywhere, at any time?

“Going to the cloud gives me a single choke point for all user access ‒ it provides much more control.”

• Protect workloads and data in the cloud

How can I fix vulnerabilities and defend against attacks before they’re exploited?

“Cloud gives me security APIs and preconfigured policies to help protect my data and workloads.”

• Detect threats with visibility across clouds

How can I obtain a comprehensive view of cloud and traditional environments?

“I can take advantage of centralized cloud logging and auditing interfaces to hunt for attacks.”

IBM Dynamic Cloud Security

Optimize Security Operations across SaaS, PaaS and IaaS:

• Manage Access

• Protect Data

• Gain Visibility

Structured Approach to Cloud Security: Assess and Govern

Focus for this Session

JKE Overview

JK Enterprises (JKE)

• A multinational financial services company that offers a wide range of financial and insurance products and services

• Operates world-wide, with major offices in AP, EMEA and US

• Employs approximately 5,500 staff

• Financial details include:

  • A combined premium income of over $2.5 billion

  • Investment assets of approximately $16.8 billion

• Customers include:

  • End customers: over 2 million insured customers

  • Brokers: over 200 registered brokers

• Has partnerships with a large number of partners, mainly in the area of brokering and financial advice

• Provides internet customers and brokers with online access to applications.

Securing Cloud – JKE Scenario

Focus for this Session

Security for Infrastructure Services (IaaS)

Security comes “in” (inherent in) and “on” (accessible from) the IaaS provider, in three areas: Identity, Protection and Insight.

Accessible “on” an IaaS Cloud Provider – Bring your own security

• Identity: privileged admin management; access management of web workloads

• Protection: network protection (firewalls, IPS, proxy); host security and vulnerability scanning; encryption and key management

• Insight: monitoring of customer hybrid infrastructure and workloads; log, audit and compliance reporting; vulnerability management

Inherent “in” an IaaS Cloud Provider – Security provided in SoftLayer

• Identity: admin user management; role and entitlement management; federation of admin users from enterprises

• Protection: isolation of VMs and dedicated instances; network firewalls, VPNs and DoS protection; encryption of data at rest and secure key store

• Insight: security monitoring of cloud infrastructure; platform intelligence; API access to cloud service logs

Security “in” (inherent in) IBM SoftLayer (IaaS)

SoftLayer Security Features & Options

• Physical DC Security

• Logical Segregation

• GeoTrust SSL Certificates

• Two-Factor Authentication for Portal Administrators

• McAfee Host Protection

• DC Site Affinity Option

IBM MSS - Fully Managed Cloud Security Services

• Hosted Web Defense (DDoS+WAF)

• Hosted Application Security Management Services

• Hosted Security Event and Log Management

• Hosted Vulnerability Management

• Managed FW, IDPS and UTM

• Managed Email and Web Security

Value: comprehensive security for IT assets deployed in SoftLayer. IBM SoftLayer and IBM Managed Security Services (MSS) provide comprehensive cloud security solutions and capabilities for cloud customers –

Scenario Overview (IaaS)

JK Enterprises (JKE): enterprise application and Dev/Test/Prod infrastructure across public and private cloud.

1 JKE provisions infrastructure resources and moves to Cloud

2 JKE deploys their business application on Cloud

Privileged User Management (IaaS – Manage Access)

JK Enterprises (JKE)

1 JKE Cloud Administrator logs into SoftLayer

2 JKE Cloud Administrator provisions and sets up the required resources on Cloud

3 Weak management of passwords and administrator activities can compromise cloud systems

4 JKE implements Privileged User Management to monitor and audit cloud Admin activities

5 Privileged Identity Manager captures and tracks all actions by admin

Diagram: JKE Cloud Administrator, IBM Security Privileged Identity Management, Dev/Test/Prod Infrastructure

Automated Provisioning of ISAM Virtual Appliance (IaaS – Manage Access)

JK Enterprises (JKE)

1 JKE wants to add web application protection for their application on cloud

2 JKE deploys ISAM Virtual Appliance on SoftLayer (automated provisioning and configuration of the ISAM appliance on SoftLayer)

3 JKE can manage access and protect applications from attacks.

Diagram: Employees and Agents / Partners / Customers reach the Enterprise Application through the IBM Security Access Manager Virtual Appliance

Log Management & Security Intelligence (IaaS – Gain Visibility)

JK Enterprises (JKE)

1 JKE Security Administrator wants visibility into their cloud infrastructure on SoftLayer

2 JKE Security Administrator uses IBM Security QRadar SIEM

3 QRadar collects all the events from security appliances, infrastructure and applications

4 QRadar detects anomalies, security threats and generates reports for audit and compliance.

Diagram: JKE Security Administrator with IBM Security QRadar SIEM collecting events from the Enterprise Application, the Dev/Test/Prod Infrastructure, the IBM Security Access Manager Virtual Appliance and IBM Security Privileged Identity Management; Employees and Agents / Partners / Customers are the users

IBM Security capabilities “on” SoftLayer that enhance security of customer workloads (IaaS)

Diagram: enterprise cloud administrators reach SoftLayer through the portal and APIs, application users reach the workloads, and consolidated logs and events feed enterprise security monitoring and IBM Virtual SOC services. Pillars: Manage Access, Protect Data, Gain Visibility

Security for Platform Services (PaaS)

Security comes “in” (inherent in) and “on” (accessible from) the provider, in three areas: Identity, Protection and Insight.

Accessible from a PaaS Cloud Provider ‒ Design your own security

• Identity: APIs for authentication/SSO of end users, for services/apps; APIs to perform context aware access

• Protection: security testing of app, service and APIs; key management APIs; APIs for fraud detection

• Insight: IP reputation/threat intelligence APIs; APIs for customer app log and audit; application security and real time monitoring; application vulnerability management

Inherent “in” a PaaS Cloud Provider ‒ Security is “baked in” the platform

• Identity: developer registration and SSO; group management, entitlements to apps and services; federation of developers/platform users

• Protection: data protection and compliance; application container; fabric and services isolation and protection

• Insight: customer specific log and audit trail APIs; active security monitoring of the provider (not of individual customer services)

Bluemix Platform Security Overview

“on” Bluemix Security

Single Sign On (Manage Access)

Key Features

• Add user authentication to your apps with policy-based configuration

• Zero coding approach

• Integrate with existing enterprise directory (Enterprise ID) with SAML

• Option to choose from social identity sources like Facebook, LinkedIn, and Google

• Option to create and use your own cloud directory

AppScan Dynamic Analyzer (Protect Data)

Key Features

• Discover vulnerabilities before putting cloud apps into production

• Minimal configuration and developer training / preparation

• Scans authenticated and unauthenticated pages and identifies security issues

• Identifies a large variety of vulnerabilities, from OWASP Top 10, SANS Top 25 and more

• Produces a detailed security report - actionable information with remediation instructions

AppScan Mobile Analyzer (Protect Data)

Key Features

• Based on Glass Box principles

• Identifies security issues in Android applications

• Produces a detailed security report

• Includes remediation steps

• Developer targeted information.

dashDB - Secure data warehousing and analytics (Protect Data)

Key Features: data encryption, data access control, activity monitoring

• Automatic encryption for data at rest using Advanced Encryption Standard (AES)

• Encryption for data in transit - SSL is automatically configured when a dashDB database is provisioned

• dashDB database is continuously monitored through IBM InfoSphere Guardium

• Database access control – define who has access to what objects in the database

Loggregator - Security Intelligence for the hybrid cloud (Gain Visibility)

Key Features

• Facility to drain logs over syslog, syslog-tls or https through a user provided service

• Includes all the events related to the app including staging and deployment

• Capability to distinguish the logs from different instances of the application

• Device Support Module (DSM) in QRadar for parsing CloudFoundry and application events
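As an added example (not code from the presentation or from IBM), the following Python parses lines of the kind a syslog drain delivers and uses the RFC 5424 process-id field to keep staging events apart from individual application instances, then counts HTTP 401 responses per instance as a simple input for the SIEM-side detection the deck describes. The field layout, the app GUID and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of what a Loggregator syslog drain might deliver: RFC 5424
# lines whose PROCID names the source, App/<index> for an application instance
# and STG for staging. This layout is an assumption for the example only.
SAMPLE_DRAIN = """\
<14>1 2015-02-23T10:15:01.000000+00:00 loggregator 0f1a2b3c-app-guid [STG] - - Staging app
<14>1 2015-02-23T10:15:09.000000+00:00 loggregator 0f1a2b3c-app-guid [App/0] - - GET /login 200
<14>1 2015-02-23T10:15:10.000000+00:00 loggregator 0f1a2b3c-app-guid [App/1] - - GET /login 200
<11>1 2015-02-23T10:15:11.000000+00:00 loggregator 0f1a2b3c-app-guid [App/1] - - POST /login 401 user=alice
<11>1 2015-02-23T10:15:12.000000+00:00 loggregator 0f1a2b3c-app-guid [App/1] - - POST /login 401 user=alice
this line is not syslog at all
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\[(?P<proc>[^\]]+)\] (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)

def parse_line(line):
    """Parse one drain line into a dict, or return None if it is not RFC 5424."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    proc = m.group("proc")
    # App/<n> is an application instance; anything else (STG, ...) is a
    # platform component, which keeps staging events distinguishable.
    instance = proc.split("/", 1)[1] if proc.startswith("App/") else None
    return {"severity": pri & 7, "facility": pri >> 3,
            "timestamp": m.group("ts"), "app": m.group("app"),
            "source": proc, "instance": instance, "message": m.group("msg")}

def summarize(drain_text):
    """Count events per source and HTTP 401 responses per app instance.
    Unparsable lines are skipped but counted, so silent drops stay visible."""
    per_source, failed_logins, dropped = Counter(), Counter(), 0
    for line in drain_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            dropped += 1
            continue
        per_source[event["source"]] += 1
        if event["instance"] is not None and " 401 " in event["message"]:
            failed_logins[event["instance"]] += 1
    return {"per_source": dict(per_source),
            "failed_logins_by_instance": dict(failed_logins),
            "dropped": dropped}
```

Counting dropped lines matters in practice: a drain that silently discards what it cannot parse hides exactly the events a SIEM would want to see.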


SSO Access to Bluemix Application (PaaS – Manage Access)

JK Enterprises (JKE)

1 JKE Employees want to access a business app deployed on Cloud by a JKE Partner

2 JKE uses Identity as an SSO Service on Bluemix

3 Employees access the Bluemix application seamlessly using their enterprise/intranet ID (SAML Federation using Enterprise Bridge)

Diagram: Employees, Single Sign On (SSO) on IBM Bluemix, Partner HealthCare Application

Social Access to Cloud Application (PaaS – Manage Access)

Marketing Department (App Development): App Developers, Agents / Partners / Customers, Social Application on Public Cloud / Private Cloud, Single Sign On (SSO) on IBM Bluemix

1 Marketing team wants to develop a new Cloud Systems of Engagement App

2 Uses IBM SSO Service Offering on Bluemix for SSO

3 Customers can access the Bluemix app using their social IDs

4 IDs of Contractors / Agents hired for the Marketing Campaign managed on Cloud Directory

Cloud Application Security & Protection (PaaS – Protect Data)

App Development (JKE Subsidiary): App Developers, Internet Application on Public Cloud / Private Cloud, IBM AppScan Dynamic Analyzer on Bluemix

1 App Developer wants to ensure the application is secure and there are no vulnerabilities

2 App Developer uses IBM AppScan Dynamic Analysis Service on Bluemix

3 App Developer gets a report on the App vulnerabilities and threats and recommendations on how to fix them

Securing Mobile Application (PaaS – Protect Data)

App Developers, Mobile Application on Public Cloud / Private Cloud, IBM AppScan Mobile Analyzer on Bluemix

1 App Developer wants to ensure the mobile application is secure and has no vulnerabilities

2 App Developer uses IBM AppScan Mobile Analyzer Service on Bluemix

3 App Developer uploads the mobile application file (.apk)

4 App Developer gets a report on the Mobile App vulnerabilities, threats and recommendations

Database Service Security & Protection (PaaS – Protect Data)

JK Enterprises (JKE): App Developers, InfoSphere Guardium, Public Cloud / Private Cloud

1 JKE uses managed data warehousing and analytics services from the cloud (dashDB)

2 App Developer wants to ensure the access to the data is monitored

3 JKE gets reports on sensitive data access on the cloud

Security Intelligence for Bluemix Apps (PaaS – Gain Visibility)

JK Enterprises (JKE): JKE Security Administrator, IBM Security QRadar SIEM, Internet Application (App Development) on Public Cloud / Private Cloud

1 JKE Security Administrator wants visibility into their application on the cloud

2 JKE Security Administrator uses IBM Security QRadar SIEM

3 QRadar collects all the events related to the Bluemix Application

4 QRadar detects anomalies, security threats and generates reports for audit and compliance.

Open Standards & IBM Cloud Security

Pillars: Protect Data, Manage Access, Gain Visibility

Encryption: Kerberos; RSA; AES; Triple-DES; X.509 Certificates; SHA Hashing; KMIP Key Management

Cloud Security Standards* (* indicative list only)

• ISO 27018 Data Protection for Cloud Services

• PCI-DSS Controls for Card Data

• ISO 24760 ID Management Architecture

• ISO 17789 Cloud Computing Reference Architecture

• ISO 29101 Privacy Architecture Framework

• ISO 27017 Information Security Controls for Cloud Services

• ISO 19794 Biometric Interchange Formats

• ISO 19086 Cloud SLAs

• CADF Cloud Audit Data Federation

CSCC (Cloud Standards Customer Council) publications:

  o Security for Cloud Computing: 10 Steps to Ensure Success Version 2.0

  o Practical Guide to Cloud SLAs

  o Practical Guide to Cloud Computing Version 2.0

  o Cloud Security Standards: What to Expect & Negotiate

Cloud Computing Reference Architecture (CCRA) - Providing Prescriptive Guidance to secure Client Cloud Adoption Patterns

• Cloud Enabled Data Center: integrated service management, automation, provisioning, self service

• Cloud Platform Services: pre-built, pre-integrated IT infrastructures tuned to application-specific needs

• Cloud Service Provider: advanced platform for creating, managing, and monetizing cloud services

• Business Solutions on Cloud: capabilities provided to consumers for using a provider’s applications

Workload patterns: Big Data / Analytics workloads on cloud; Social / Mobile workloads on cloud; Federal/Government workloads on cloud (G Cloud)

IBM Dynamic Cloud Security Portfolio (SaaS, PaaS, IaaS)

Manage Access – Safeguard people, applications, and devices connecting to the cloud

• Cloud Identity Services NEW!

• Cloud Sign On Service NEW!

• Cloud Access Manager NEW!

• Cloud Privileged Identity Manager NEW!

Protect Data – Identify vulnerabilities and help prevent attacks targeting sensitive data

• Cloud Data Activity Monitoring NEW!

• Cloud Mobile Application Analyzer NEW!

• Cloud Web Application Analyzer NEW!

Gain Visibility – Monitor the cloud for security breaches and compliance violations

• Cloud Security Intelligence NEW!

Optimize Security Operations – Deliver a consolidated view of your security operations, at unprecedented speed and agility

• Intelligent Threat Protection Cloud NEW!

• Cloud Security Managed Services NEW!

• Security Intelligence and Operations Consulting Services NEW!

Learn more about IBM Security

• Visit our website: IBM Security Website

• Watch our videos: IBM Security YouTube Channel

• Read new blog posts: SecurityIntelligence.com

• Follow us on Twitter: @ibmsecurity

IBM Security: Intelligence. Integration. Expertise.


Thank You. Your Feedback is Important!

Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.

